HTML Injection in uptime-kuma Status page #4774
Comments
It is a feature that users can add HTML code. Also, it can be edited only after logging in. No unauthorized attacker can do this. The implementation is here: uptime-kuma/src/pages/StatusPage.vue Lines 580 to 602 in 88b7c04
It is also sanitised. Given that no such advisory has been published by the
@muhammadahmad62 said:
But my point is everything can be done by admin only. I don't think admins would hack their own Uptime Kuma. Also, for example, applications like WordPress and GitHub (Code editor) also allow users to edit HTML code and deploy to production; are they exploited for Form Hijacking Vulnerabilities too?
DO NOT PROVIDE ANY DETAILS HERE. Please privately report to https://github.com/louislam/uptime-kuma/security/advisories/new.
Why is this issue needed? It is because GitHub Advisory does not send a notification to @louislam; this issue is a workaround to do so.
Your GitHub Advisory URL:
https://github.com/louislam/uptime-kuma/security/advisories/GHSA-ffvm-p92q-25c3